
IPTABLES question

server: linux location: NOC
I want to allow ssh access from our home PCs. At home we have cable/DSL modems, so the public address changes from time to time. But I could get a static host name from no-ip.com.

Can I use the actual hostname in the iptables rule? Right now I am using
".......... -s 67.200.54.36 .............." in an iptables statement, but I want to be able to use an actual hostname for the source, which would get resolved by DNS automatically (no-ip.com).

As far as I know, the names are resolved by the iptables command during rule load, so it won't work as you expect. You will need to reload the rule each time your IP changes, so it will be useless.
If you think deeply about that idea you will notice that it would be silly to resolve the hostname on each packet/connection, wouldn't it?
Instead of going that way, why don't you just create a VPN between your home PC and your "corporate" network? It will be FAR more secure.

The idea about CRON isn't bad, but instead of updating the hosts file through CRON (that will be ineffective, since iptables already resolved at rule load and it won't re-read hosts and/or DNS), you can use a small script (through CRON) deleting and reinserting that specific "allow" rule.

I think trying to set your kernel to do name resolution on every packet it gets would probably be a bad idea (Don't cross the streams). However, I also think you could easily use patch-o-matic to add the string matching module into netfilter and set up a rule that only allows the packets in if the hostname match is in the packet. Of course this could be spoofed, but hey, nothing's perfect. I think it will still add a beneficial layer to at least keep the casual scanner at bay.

-Maest0

"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

First, some background on my understanding thus far: I was under the impression that iptables would (from prior searching and reading) look up the host name each time the rule was called. This apparently is not correct (found through testing because of this post. I think this may also answer Maestr0's post. But even if it were so, using the new chain as I did you could mitigate most of the problems). What I found was that when the ruleset is loaded it does the DNS lookup, and holds that IP address until the rule is loaded again. (*2 note quirk below)

God I love this site: posts like this make me learn!

Anyway, if that is the case, then to get the new IP address if it changed you would have to reload iptables (bad idea: it could slow things, jam things, or even open holes momentarily every time the entire ruleset reloaded) or you could just reload that rule as cacosapo said.

So, for the example given ( notice I removed the logging for your.com )

In the above, "-R" tells iptables to replace a rule, "ssh_entries" says what chain the rule is in, "1" is the rule number in the chain, and the rest is the rule to replace the old one.

To get the rule number once the chain is loaded the first time, use
"iptables --list --line-numbers -v"

If you need special treatment for the lookup (I do not know how no-ip.com works) you could still include that lookup in the CRON job, placing the result in your /etc/hosts file.

One other note here, and someone may run into this, so be mindful. The reason I used the /etc/hosts file initially was not only because of using no-ip.com, but also because, thinking that it would look up the host name each time the rule was called, I thought it easier because you would not have to worry about placement of the rule in the table.
If you place a host name in a ruleset which requires a DNS lookup before the rule which allows DNS lookups, the rule will fail and will not be loaded!

Hope this has helped, it helped me.

*1 Note here: if the host name resolves to multiple addresses the "-R" command will fail (from the iptables man pages, and yes, I tried it).

*2 quirk: (this worked for me)
run a ruleset with a destination host name, then do
"iptables --list -v"
and you will see the host name in the ruleset. Now run
"iptables --list -n -v"
Since "-n" tells iptables not to display host names but to use the IP address, you will see the IP address of the host name in the rule.
Now, again try
"iptables --list -v"
no "-n", but the IP address is still there!

" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
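The cron-driven rule refresh that cacosapo suggested and the "-R" replacement described in the post above, written out as an added example (this is not code from the thread; the chain name ssh_entries and rule number 1 are taken from the post, the hostname, the check interval and the 203.0.113.x addresses are assumptions). The script resolves the dynamic-DNS name itself and hands iptables only the resulting address, so iptables never does a DNS lookup at rule load (which sidesteps the "DNS rule must come first" failure noted above) and the script can refuse to run "-R" when the name maps to more than one address, the case the *1 note says "-R" rejects. The parsing and decision logic is kept in functions that take their input as arguments, so it can be exercised against a constructed listing without touching a live firewall:

```bash
#!/bin/sh
# Added example: keep rule RULENUM of chain CHAIN in sync with a dynamic-DNS
# hostname. Intended to be run from cron, e.g. */5 * * * * /usr/local/sbin/ssh-dyn-allow.sh home.example.net
# Chain name and rule number come from the thread; everything else is an assumption.

CHAIN="${CHAIN:-ssh_entries}"
RULENUM="${RULENUM:-1}"

# resolve_ipv4 HOST: print the distinct IPv4 addresses HOST resolves to, one
# per line. getent goes through the system resolver (hosts file, then DNS),
# the same path iptables itself would use at rule-load time.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# unique_ipv4 ADDR_LIST: print the single address in the newline-separated
# list, or return 1 when there are none or several. "-R" fails for a name
# with several addresses, so refusing here is deliberate.
unique_ipv4() {
    n=$(printf '%s\n' "$1" | sed '/^$/d' | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$1" | sed '/^$/d'
}

# current_source LISTING RULENUM: the "source" column of rule RULENUM in the
# output of `iptables -L CHAIN -n -v --line-numbers`. With -n the column holds
# the address iptables stored at load time, not a hostname. Columns are:
#   num pkts bytes target prot opt in out source destination ...
current_source() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $9; exit }'
}

# plan_update ADDR_LIST LISTING: print the address the rule must be replaced
# with, or nothing if the rule already carries it. Returns 1 (and prints
# nothing) when ADDR_LIST is not exactly one address.
plan_update() {
    new=$(unique_ipv4 "$1") || return 1
    cur=$(current_source "$2" "$RULENUM")
    [ "$new" = "$cur" ] && return 0
    printf '%s\n' "$new"
}

# Constructed sample of `iptables -L ssh_entries -n -v --line-numbers` output,
# using the address from the original question; used for offline checks only.
SAMPLE_LISTING='Chain ssh_entries (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       67.200.54.36         0.0.0.0/0            tcp dpt:22'

# main HOST: the cron entry point. Replaces only the one ACCEPT rule, as the
# thread recommends, rather than reloading the whole ruleset.
main() {
    host="$1"
    listing=$(iptables -L "$CHAIN" -n -v --line-numbers) || return 1
    ip=$(plan_update "$(resolve_ipv4 "$host")" "$listing") || {
        echo "$host did not resolve to exactly one IPv4 address; rule left unchanged" >&2
        return 1
    }
    [ -n "$ip" ] || return 0      # already current, nothing to do
    iptables -R "$CHAIN" "$RULENUM" -s "$ip" -p tcp --dport 22 -j ACCEPT
}

if [ $# -ge 1 ]; then
    main "$1"
fi
```

Because the rule is replaced in place with "-R" there is no window in which the chain has no rule at all, unlike a delete-then-insert pair. The script still trusts whatever DNS returns for the name, so anyone who can tamper with that no-ip.com record (or spoof the reply to the NOC resolver) can point the hole at themselves; the key-only ssh authentication mentioned later in the thread is what actually gates the login, this just narrows who gets to try.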

I would allow all port 22 but only allow key authorisation, not password authorisation.

Yes, no, yes ... I don’t think we got there yet .... this is just another layer.

If someone finds a flaw in SSH to exploit, they have to get by the firewall. Hopefully they will not find ( with a default drop on port 22 ) that any connections are possible there, so they won’t know to try, and if they do they won’t be allowed in ( again, hopefully, unless they find a flaw in Netfilter too. )

Just trying to stack the odds in our favor, but it is still just a gamble!

" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes